As a Service Provider connected to SURFconext, you must comply with laws and regulations concerning privacy and the safety of the personal data you process about end users. Within SURFconext, this is covered by an agreement (aansluitovereenkomst). You are also requested to comply with the 'Framework of Legal Standards for Cloud Services in Higher Education'.

Within eduGAIN: REFEDS Data Protection Code of Conduct

Trustworthy exchange of attributes between federations

In an interfederation (i.e., eduGAIN) context, every federation has its own set of agreements and contracts, and these usually differ somewhat from one federation to the next. To enable trustworthy exchange of attributes between organisations from different federations, it proved necessary to establish a document about privacy and data protection laws that is the same for all organisations. This document is called the REFEDS Data Protection Code of Conduct. It is based on the General Data Protection Regulation (GDPR).

Organisations are advised to support this document to state that they are a reliable partner. This helps Identity Providers from other federations to trust your service, which makes it easier to connect their Identity Provider to your service. In a number of federations this even happens automatically.

How to commit to the Code of Conduct

Before you continue, please note that the agreements used by SURFconext and the Code of Conduct are almost identical. The only difference is that the Code of Conduct is stricter when it comes to the information duty towards end users. Before you can sign the Code of Conduct, you must make sure you can comply with that principle by setting up an internal process. The rest of the principles mentioned in the Code of Conduct should not pose any barriers, since they are also mentioned in the SURFconext agreements.

Please contact support@surfconext.nl if you have any questions.

Consider also v1

The current norm is v2 of the Code of Conduct. For maximum compatibility, you are advised to also commit to v1 of the Code of Conduct if you can, in order to support IdPs that have not yet adopted the new standard.

How to conform is described in the CoCo v1 recipe for a service provider.

Adding the Code of Conduct to your metadata

After signing the Code of Conduct and taking all the necessary steps mentioned on this page, you can declare in your metadata that you have signed the Code of Conduct. You do this by listing a dedicated entity category in your metadata. Add the v1 entity category as well if you also comply with v1. Again, you can contact support@surfconext.nl if you have any questions about how to do this technically.
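One way to check which Code of Conduct versions an SP's metadata actually declares, as an added example that is not SURFconext's own code. It assumes the entity category URIs published by GÉANT (v1) and REFEDS (v2), which are not quoted on this page, and uses constructed sample metadata for a hypothetical SP at sp.example.org.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
# Assumption: category URIs as published by GEANT (v1) and REFEDS (v2);
# they are not quoted on this page.
COCO = {
    "v1": "http://www.geant.net/uri/dataprotection-code-of-conduct/v1",
    "v2": "https://refeds.org/category/code-of-conduct/v2",
}

# Constructed sample metadata for a hypothetical SP (declares v2 only).
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://sp.example.org/metadata">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>https://refeds.org/category/code-of-conduct/v2</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>"""


def declared_coco_versions(metadata_xml):
    """Return the sorted CoCo versions a single EntityDescriptor declares."""
    root = ET.fromstring(metadata_xml)
    values = set()
    # Only entity attributes under the entity's own Extensions element count.
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in root.findall(path, NS):
        if attr.get("Name") != ENTITY_CATEGORY:
            continue  # some other entity attribute, e.g. an assurance profile
        for value in attr.findall("saml:AttributeValue", NS):
            values.add((value.text or "").strip())
    return sorted(ver for ver, uri in COCO.items() if uri in values)


if __name__ == "__main__":
    found = declared_coco_versions(SAMPLE)
    print("declared:", found)
    if "v1" not in found:
        print("note: v1 not declared; IdPs that only know v1 will not match")
```

Run it against your own SP metadata only; for metadata fetched from third parties, parse with a hardened XML parser such as defusedxml instead of the standard library.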
